Secure the Web Service API calls

Sam Saha

Ranch Hand

Posts: 104

posted 4 years ago

I have an application. When we log in to that application using a user ID and password, it successfully logs in to the application. Now, in the front end of that application there are Ajax calls which call web service APIs to retrieve the data. These web service APIs are not secured, meaning that if you call those APIs from a browser anybody can see the data. But I want to secure the web service APIs so that only authorized users who can log on to that application can call the web service APIs. I am very new to this security and have no idea how to secure the APIs. I would appreciate it if someone could help with how to implement security for these API calls. The front end is written in PHP and the backend is Java.

J Dirksen

Author
Greenhorn

Posts: 13

posted 4 years ago

What kind of web services are you talking about? Are they web services in the traditional sense, with XML and SOAP, or do you use a RESTful approach?

The most basic approach for both scenarios is using basic authentication on the HTTP request; this will allow you to at least restrict access to authorized users.

You talk about "anybody can see the data", what are you looking for; a way to restrict access to your API or a way to encrypt the data?

Sam Saha

Ranch Hand

Posts: 104

posted 4 years ago

I am new to this application. I am very new to web services as well. They are using RESTful services. When I say anybody can see the data, I mean that only the user who can successfully log in to the application should be able to call the API and access the data, and otherwise not. If you can give design/implementation steps for how to handle that, I can go through the steps and implement them. Thank you very much.

J Dirksen

Author
Greenhorn

Posts: 13

posted 4 years ago

If you only want to expose this API to a logged-in user, the easiest way to do this is by adding basic/digest HTTP authentication to the REST call. There are many examples/steps for how to do this. The basic steps are outlined in this Stack Overflow post:

We have an application whose front end is written in PHP and whose backend is written in Java. The front end server is Apache and the backend server is Tomcat. Users can log on to the application using their user ID and password. In the front end, Ajax calls the API to retrieve the data. Now the API is not secured, meaning that if you call the API from a browser it will return the data. So the issue is that if someone else somehow creates their own front end and calls that API, they can also retrieve the same data, which is not secure.

So I have to secure the API somehow so that only a person who can successfully log in to the application using a user ID and password can call the API and retrieve the data, and otherwise not.
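As an added illustration of the HTTP basic authentication that J Dirksen suggests, here is a small Java program (not the poster's code, and not tied to their Tomcat setup) that protects a REST-style endpoint using only the JDK's built-in HTTP server. The user "alice", her password, the port and the `/api/data` path are all constructed for the demo. Passwords are stored as salted PBKDF2 hashes and compared in constant time, so the server never keeps or compares plaintext.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example: a REST-style endpoint guarded by HTTP Basic authentication.
 * Not the original poster's code; the account below is constructed for the demo.
 */
public class BasicAuthApi {

    /** Salted PBKDF2 hash of one user's password; no plaintext is kept server-side. */
    static final class StoredCredential {
        final byte[] salt;
        final byte[] hash;
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 256;

    // Constructed in-memory user store. A real application would check against
    // the same user table that the PHP login form already validates.
    static final Map<String, StoredCredential> USERS = new ConcurrentHashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static void register(String user, String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(user, new StoredCredential(salt, pbkdf2(password.toCharArray(), salt)));
    }

    /** True only if the user exists and the password hashes to the stored value. */
    static boolean checkPassword(String user, String password) {
        StoredCredential cred = USERS.get(user);
        if (cred == null) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return MessageDigest.isEqual(cred.hash, pbkdf2(password.toCharArray(), cred.salt));
    }

    public static void main(String[] args) throws Exception {
        register("alice", "correct horse battery staple"); // constructed demo account

        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        HttpContext api = server.createContext("/api/data", exchange -> {
            // Only reached after the authenticator below has accepted the credentials.
            String user = exchange.getPrincipal().getUsername();
            byte[] body = ("{\"owner\":\"" + user + "\",\"items\":[1,2,3]}")
                    .getBytes(StandardCharsets.UTF_8);
            exchange.getResponseHeaders().add("Content-Type", "application/json");
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });

        // Requests without a valid "Authorization: Basic ..." header are answered
        // with 401 and a WWW-Authenticate challenge before the handler ever runs.
        api.setAuthenticator(new BasicAuthenticator("api") {
            @Override
            public boolean checkCredentials(String user, String password) {
                return checkPassword(user, password);
            }
        });

        server.start();
        System.out.println("Listening on http://127.0.0.1:8080/api/data (Basic auth)");
    }
}
```

Two points matter when carrying this over to the poster's Apache/PHP plus Tomcat setup. First, Basic authentication sends the base64-encoded user ID and password on every request, so the API must be served over HTTPS or the credentials are readable on the wire. Second, in Tomcat the same effect is obtained declaratively with a `<security-constraint>` and `<login-config><auth-method>BASIC</auth-method></login-config>` in `web.xml`, backed by a Realm that reads the application's user table; the PHP side then adds the `Authorization` header to its Ajax calls for the user who has just logged in.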